(54) Accelerated finite field operations on an elliptic curve

(57) A method for multiplication of a point P on elliptic curve E by a value k in order to derive a point kP comprises the steps of representing the number k as vector of binary digits stored in a register and forming a sequence of point pairs (P1, P2) wherein the point pairs differ at most by P and wherein the successive series of point pairs are selected either by computing (2mP,(2m+1)P) from (mP,(m+1)P) or ((2m+1)P,(2m+2)P) from (mP,(m+1)P). The computations may be performed without using the y-coordinate of the points during the computation while allowing the y-coordinate to be extracted at the end of the computations, thus avoiding the use of inversion operations during the computation and therefore speeding up the cryptographic processor functions. A method is also disclosed for accelerating signature verification between two parties.
Description

This invention relates to a method of accelerating operations in a finite field, and in particular, to operations performed in a field $F_{2^m}$ such as used in encryption systems.

BACKGROUND OF THE INVENTION

Finite fields of characteristic two in $F_{2^m}$ are of interest since they allow for the efficient implementation of elliptic curve arithmetic. The field $F_{2^m}$ can be viewed as a vector space of dimension m over $F_2$. Once a basis of $F_{2^m}$ over $F_2$ has been chosen the elements of $F_{2^m}$

"".'SIS'SL Pieces utilizes the EtGam* pubtic My signature scheme the, signs a message 
Various ptotoeots exist for impJemertng such a rthmj, nd some h»ebe «v *^y ^ 

communicating the signatures. 

In a typical implementation a signature component s has the form:

s = ae + k (mod n) where:

key R = kP ;
a is the long
e is a secur<
n is the order of the curve.
The sender sends to the recipient a message including m, s, and R and the signature is verified by computing the value R' = (sP - eQ) which should correspond to R. If the computed values are equivalent then the signature is verified.

In order to perform the verification it is necessary to compute a number of point multiplications to obtain sP and eQ, each of which is computationally complex.

If $F_q$ is a finite field, then elliptic curves over $F_q$ can be divided into two classes, namely supersingular and non-supersingular curves. If $F_q$ is of characteristic 2, i.e. $q = 2^M$, then the classes are defined as follows.

i) The set of all solutions to the equation $y^2 + ay = x^3 + bx + c$ where $a, b, c \in F_q$, $a \neq 0$, together with a special point called the point at infinity O is a supersingular curve over $F_q$.
ii) The set of all solutions to the equation $y^2 + xy = x^3 + ax^2 + b$ where $a, b \in F_q$, $b \neq 0$, together with a special point called the point at infinity O is a nonsupersingular curve over $F_q$.

By defining an appropriate addition on these points, we obtain an additive abelian group. The addition of two points $P(x_1, y_1)$ and $Q(x_2, y_2)$ for the supersingular elliptic curve E with $y^2 + ay = x^3 + bx + c$ is given by the following:

If $P = (x_1, y_1) \in E$, then define $-P = (x_1, y_1 + a)$. $P + O = O + P = P$ for all $P \in E$.

If $Q = (x_2, y_2) \in E$ and $Q \neq -P$, then the point representing the sum of P + Q is denoted $(x_3, y_3)$, where

or

and

or

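The addition of two points $P(x_1, y_1)$ and $Q(x_2, y_2)$ for the nonsupersingular elliptic curve $y^2 + xy = x^3 + ax^2 + b$ is given by the following:

If $P = (x_1, y_1) \in E$ then define $-P = (x_1, y_1 + x_1)$. For all $P \in E$, $O + P = P + O = P$. If $Q = (x_2, y_2) \in E$ and $Q \neq -P$, then P + Q is a point $(x_3, y_3)$, where

$$x_3 = \begin{cases} \left(\dfrac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)^2 \oplus \dfrac{y_1 \oplus y_2}{x_1 \oplus x_2} \oplus x_1 \oplus x_2 \oplus a & (P \neq Q) \\[2ex] x_1^2 \oplus \dfrac{b}{x_1^2} & (P = Q) \end{cases}$$

and

$$y_3 = \begin{cases} \left(\dfrac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)(x_1 \oplus x_3) \oplus x_3 \oplus y_1 & (P \neq Q) \\[2ex] x_1^2 \oplus \left(x_1 \oplus \dfrac{y_1}{x_1}\right) x_3 \oplus x_3 & (P = Q) \end{cases}$$
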
,n turn, each o1 these operations requires a sequence ^^^^^a^ or generally most crypto- 
When implementing cryptographic operations m EIGama or +p added k times) M9 k is 

graphic operations with elliptic curves, one ^"^^J? £ " 0 be oomp ^ d k-1 times. For large values of k 
a positive integer and P e E. Th.s requ.res the corrp^on of to P ^aered impractical for data 

which are typically necessary in ^^^^^^S^ocm^ 2™ add-ons of P. 

journal of Cryptology. a method is described for adding ^o £ ^^^^ of ^ inversion is at me 

eliminating the inversion computafon. However *e °ven*l gamm J re imermediate results when doing the 

SUMMARY OF THE INVENTION 

advantages are obviated or mitigated. multiDlving finite field elements, and which may be imple- 
It is a still further object of the present invention to provide a method and apparatus in which signature verification may be accelerated in elliptic curve encryption systems.

In accordance with this invention there is provided a method of determining a multiple of a point P on an elliptic curve defined over a field $F_{2^m}$, said method comprising steps of

a) representing the number k as a vector of binary digits $k_i$;

b) forming a pair of points $P_1$ and $P_2$, wherein the point $P_1$ and $P_2$ differ at most by P; and

c) selecting each of the $k_i$ in turn and for each of the $k_i$,

upon the $k_i$ being a one, adding the pair of points $P_1$ and $P_2$ to form a new point $P_1$ and adding the point P to $P_1$ to form a new point $P_2$, the new points replacing the pair of points $P_1$ and $P_2$; or

upon the $k_i$ being a zero, doubling the point $P_1$ to form a new point $P_1$ and adding the point P to form a new point $P_2$, the new points replacing the pair of points $P_1$ and $P_2$, whereby the product kP is obtained from the point $P_1$ in M-1 steps and wherein M represents the number of digits in k.

Furthermore, the inventors have implemented a method whereby computation of a product kP can be performed without the use of the y coordinate of the point P during computation.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present invention will now be described by way of example only with reference to the accompanying drawings in which:

Figure 1 is a schematic representation of a data communication system;
Figure 2 is a schematic diagram of an encryption/decryption unit;
Figure 3 is a flow chart for computing a multiple of a point;
Figure 4 is a flow chart showing the extraction of a y-coordinate; and
Figure 5 is an illustration of an embodiment of the present invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

Referring to Figure 1, a data communication system 2 includes a pair of correspondents, designated as a sender 10, and a recipient 12, connected via a communication channel 14. Each of the correspondents 10, 12 includes an encryption/decryption unit 16 associated therewith that may process digital information and prepare it for transmission through the channel 14 as will be described below. The encryption/decryption units implement, amongst others, key exchange protocols and an encryption/decryption algorithm.

The module 16 is shown schematically in Figure 2 and includes an arithmetic logic unit 20 to perform the computations including key exchange and generation. A private key register 22 contains a private key, d, generated for example as a 155 bit data string from a random number generator 24, and used to generate a public key stored in a public key register 26. A base point register 28 contains the co-ordinates of a base point P that lies in the elliptic curve selected with each coordinate (x, y), represented as a 155 bit data string. Each of the data strings is a vector of binary digits with each digit being the coefficient of an element of the finite field in the normal basis representation of the co-ordinate.

The elliptic curve selected will have the general form $y^2 + xy = x^3 + ax^2 + b$ and the parameters of that curve, namely the coefficients a and b, are stored in a parameter register 30. The contents of registers 22, 24, 26, 28, 30 may be transferred to the arithmetic unit 20 under control of a CPU 32 as required.

The contents of the public key register 26 are also available to the communication channel 14 upon a suitable request being received. In the simplest implementation, each encryption module 16 in a common secure zone will operate with the same curve and base point so that the contents of registers 28 and 30 need not be accessible. If further sophistication is required, however, each module 16 may select its own curve and base point in which case the contents of registers 28, 30 have to be accessible to the channel 14.

The module 16 also contains an integer register 34 that receives an integer k, the session seed, from the generator 24 for use in encryption and key exchange. The module 16 has a random access memory (RAM) 36 that is used as a temporary store as required during computations.

In accordance with a general embodiment, the sender assembles a data string, which includes amongst others, the public key Q of the sender, a message m, the sender's short term public key R and a signature component s of the sender. When assembled the data string is sent over the channel 14 to the intended recipient 12.

For simplicity it will be assumed that the signature component s of the sender 12 is of the form s = ae + k (mod n) as discussed above although it will be understood that other signature protocols may be used. To verify the signature
sP-eQ must be computed and compared with R. a|so ^ computed

puting sP and eQ. re cioient may adopt the following to calculate the coordinates 

In order to accelerate the calculation of sP or eQ the reap en may a pi ^ ^ under|yjnflfield 

Of the new point sP, in order to avoid performing the 9 ^^!S!^!S!Zl» method as shown in figure 3. 
F 2 ™. The recipient may calculate sP by resortmg to the a "douWe and add" method for multiplication a 

2 Referring to figure 3 one embodiment of the ^^^S^^S^^ * representing * in rts 

point P on an elliptic curve £ by a value * m ^ '°.^^^^ x up P Each successive digit of k is considered 
oTnary form. Next a successive ser.es o ( ™^^SSon of k. the first of the pair of points is doubled 

' « ma, be seen the M result 2 3P is *^^^^iTS^S™ «i ™r*er of -double and 

pel, of point, in the field «herein the ^XtuS^oTE * U (m 1) tithes. This tnethod of double and odd' 
add- operations equals at most one lass than .the murnbo a Ms in K ,* t t^ b erformedByapro<; esso.Th.s 

in "Sn n ,n 0 ba*to,r«^la fc no,sPar-e0.theree^ 
for the nonsupersingular elliptic curve $y^2 + xy = x^3 + ax^2 + b$, E defined over $F_{2^m}$.

If $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$, $P_1 \neq \pm P_2$, are points on the curve E then we can define $P_1 + P_2 = (x_3, y_3)$ where,

(1)

wherein the slope of the curve is given by:

$$\lambda = \frac{y_2 + y_1}{x_2 + x_1}$$

Similarly, if $-P_2 = (x_2, y_2 + x_2)$ and $P_1 - P_2 = (x_4, y_4)$ then,

$$x_4 = \bar{\lambda}^2 + \bar{\lambda} + x_1 + x_2 + a = \lambda^2 + \frac{x_2^2}{(x_1 + x_2)^2} + \lambda + \frac{x_2}{x_1 + x_2} + x_1 + x_2 + a \qquad (2)$$

where

$$\bar{\lambda} = \frac{y_2 + x_2 + y_1}{x_2 + x_1} = \frac{x_2}{x_2 + x_1} + \lambda$$

If we add $x_3$ and $x_4$ then,

$$x_3 + x_4 = \frac{x_2^2}{(x_1 + x_2)^2} + \frac{x_2}{x_1 + x_2} = \frac{x_1 x_2}{(x_1 + x_2)^2} \qquad (3)$$

To compute the x-coordinate $x_3$ of $(P_1 + P_2)$ we only need the x-coordinates of $P_1$, $P_2$ and $(P_1 - P_2)$, however the computation is not optimally efficient as it requires inversions. It may also be noted that the y-coordinate is not needed in these calculations.

Referring back to figure 2, the value kP may be calculated using the "double and add" method. Whenever a new pair of points is computed the addition formula of equation (3) above is used and this is done m times.

Thus we have a formula for $x_3$ involving $x_1$, $x_2$ and $x_4$. Unfortunately, this formula includes an inversion, which is costly. We can modify this equation as follows, suppose the values of $x_1$, $x_2$ and $x_3$ are given by

where $x_1, x_2, x_3, z_1, z_2, z_3$ are values maintained during the double and add algorithm. Then substituting these new representations into formula (3), we find

$$\frac{x_3}{z_3} = x_4 + \frac{\frac{x_1}{z_1}\,\frac{x_2}{z_2}}{\left(\frac{x_1}{z_1} + \frac{x_2}{z_2}\right)^2} = x_4 + \frac{x_1 x_2 z_1 z_2}{(x_1 z_2 + x_2 z_1)^2} = \frac{x_4 (x_1 z_2 + x_2 z_1)^2 + x_1 x_2 z_1 z_2}{(x_1 z_2 + x_2 z_1)^2}$$

Therefore, if we take $x_3 = x_4 (x_1 z_2 + x_2 z_1)^2 + x_1 x_2 z_1 z_2$, and $z_3 = (x_1 z_2 + x_2 z_1)^2$, we can execute the "double & add" algorithm of figure 3 (using this new representation) and avoid the computation of an inversion for most of the algorithm.

From equations for $x_3$ and $z_3$ above it may be seen that $x_3$ may be calculated by performing at most four multiplication operations.

The sum of the points $P_1$ and $P_2$ expressed in terms of $x_3$ and $z_3$ is obtained without having to perform a relatively costly inversion on the x-coordinate, and can be computed using at most four multiplies and two squares. The remaining operations of addition and squaring are relatively inexpensive with regard to computational power. The computation of the term $(x_1 z_2 + x_2 z_1)^2$ is obtained by a cyclic shift of the normal basis representation of the value within parentheses, which a general-purpose processor can perform relatively easily. At the end of the algorithm we can convert back to our original representation if required.

Referring back to figure 3, now in order to double point $P(x_1, y_1)$, let $2(x_1, y_1) = (x_3, y_3)$ then as before if the equation of the elliptic curve E is given by $y^2 + xy = x^3 + ax^2 + b$ over $F_{2^m}$, the x-coordinate of the point 2P is represented as

$$x_3 = x_1^2 + \frac{b}{x_1^2}$$

Once again representing the coordinates in terms of the projective coordinates we obtain

$$x_3 = x_1^4 + b z_1^4$$

and

$$z_3 = (x_1 z_1)^2$$

or

$$x_3 = (x_1 + \sqrt[4]{b}\, z_1)^4$$
B, ™Kn, b «. ft. ^.idna.y op^s ™» be - W— * « — 

tiplication operation for the r 3 term. We can precompute 

V* 

normal basis representation the computation of x, and z, » *«J? °* ™" y 

Spective values, while (x^) 2 is obtained by a srngle cydic M fof a ^ „ of m bits and cal- 

Applying the earlier out.ined "double and add" met Jod of figure 3^ ""^*Z%££m discussion a double 
culaSof £ defined over F 2 ™ requires at most (m-1 ) operations, while the add 

operation on points of an elliptic curve are ^^^££^^5^2^ * computed x-coordinate of kP 
operation is achieved by performing at ^.^^^l^^^crfon operations, 
using the method of this invention would require at most six t mes (m 1 mu«p b ^ determined . Ho wever. for each 
Once the x values have been calculated, ^^^^^eTnaTSi of obtaining a point 24P. both points 
x-coordinate there exists at most ^^^^^T^Sp I P = MP - Assume the x-coordinate x 23 of the point 
23P and P would be known, since 24P may be expressed as equation E and solving 

Z 23P have been obtained as described earlier Jhen^by £^J£££*S points A*- (x 2 , y 23 ro > and 
the resulting quadratic equation, two * alue * * into the ellip- 
B = (x 23 . y 23 h ■ Next, by «*J^"^^^^^o points thus obtained are stored. To the 
tic curve equation will produce two points (x 24 . y 24 ^ition to oroduce corresponding points A + P = (x a . y .) and 
point A + B are added, point P using ordinary point addition toprodura co esp a h« tivel lf none D f 

Tp = (x b , y b ) . respectively Pdnt (x yj is c^ 

r = kP = rx,y; . in this case one can drop the y-coordmate and produce a hash of a mes g ^ g 

e = hUx) The sender then sends to a recipient a message including a ^^^^ generated by the 
has the form s = (de + k) mod n , where d ,s ; the pnvate key of the «£. and ^ by ^ 

adding to fte m«»d described ^ ° Tm,y btnSS^pec, .o.^re 3 in coning .he x-coc 
1)P and x' of kP is shown generally by numeral 50. as may De . .uieu ^ 

dinate of kP the x-coordinate of (*-.)P is also jne (x< y) js on ^e 

Thus, initially substitute into the ^ c ^ e ^^° q P = J-y) by simple point subtraction 55. 

curve. Next at step 54 assign the point Q to (/./). ^ m ^ step 56 ail rt x» = x. then / is the y-coordi- 

and comparing the coordinate x" to the 1 . x -^ n rd '^ t n %° m ^ d ^ of tne invention to vesication of elliptic curve signa- 
Referring to figure 5. a further applicafon of an »«odnnanta*jn^ dent ! 0 includes a private 

tures is indicated generally by numeral 70. Once ^ nlT^mZr^ \he pdrA O ^ dP. In order to sign a 
Key random integer d and a ™^^»"^^ZZ aTasMunction' H. Next, a random integer * is 
message M. a hash value e .s computed from he ™J»££^ *P is calculated from the random integer fc. The 

-Tra^^ 

r and a message M is then transmrtted to ^^^SSS-^r^ key O of thefirst correspondent 1 0. A hash 
verffy the signature (r.s) on M, the second ^^^^^^S^. I H( M) . A value c = s^mod n is also cal- 
e- of the message M is calculated using the has ^ m( J ; and u2 = rc mod n . In order that the 
culated. Next, integer values u, and u 2 are calculated such that u , - ec moo n 



signature be verified, the value $u_1P + u_2Q$ must be calculated. Since P is known and is a system wide parameter, the value $u_1P$ may be computed quickly using pre-computed multiples of P. For example, these values may be combined from a pre-stored table of doubles of P, i.e. 2P, 4P, 8P, etc. On the other hand however, the point Q is current and varies from user to user and, therefore, the value $u_2Q$ may take some time to compute and generally cannot be pre-computed.

However, by resorting to the expedient of the method disclosed in the subject invention, verification of the signature may be significantly accelerated. Normally, the point $R = u_1P + u_2Q$ is computed. The field element x of the point R = (x, y) is converted to an integer z, and a value v = z mod n is computed. If v = r, then the signature is valid.

Alternatively, a technique which takes advantage of "double & add" may be used to compute $u_2Q$: if the modular inverse of $u_2$ is calculated, $u_2^* = u_2^{-1} \bmod n$, then R can be expressed as $u_2(u_1 u_2^* P + Q)$, i.e. making use of the identity $u_2 u_2^* = 1$. The value $u_1 u_2^*$ is an integer and, therefore, may be easily computed. Thus, the point $u_1 u_2^* P$ may be easily calculated or assembled from the previously stored values of multiples of P. The point Q is then added to the point $u_1 u_2^* P$, which is a single addition, to obtain a new point R'.

Thus, in order to verify the signatures, the recipient need only determine the x coordinate of the value $u_2 R'$. This calculation may be performed using the "double and add" method as described with reference to figure 3. If this is equal to r, then the signature is verified. The resulting value is the x-coordinate of the point $u_1P + u_2Q$. The value v = x mod n is computed and verified against r. It may be noted that in this scheme, the y-coordinate is not used in signature generation or verification and, hence, computing it is not mandatory. However, alternative schemes for both x and y-coordinates may be utilized in these cases and the y coordinate may be derived as described earlier or the two y-coordinates corresponding to the given x-coordinate may be calculated and each used to attempt to verify the signature. Should neither satisfy this comparison, then the signature is invalid. That is, since verification requires computing the point $R = u_1P + u_2Q$. This can be done as follows. Transmit only the x coordinate of Q, compute the x-coordinate of $u_2Q$, by using either the "double & add" of figure 3 or on $E(F_p)$. Try both points corresponding to this x-coordinate to see if either verifies.
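
The x-only "double and add" of figure 3 with the projective formulas for $x_3$ and $z_3$, and the rewriting of $u_1P + u_2Q$ as $u_2(u_1 u_2^* P + Q)$ described above, as an added example that is not part of the patent text. It assumes a toy field GF(2^7) in polynomial basis, curve constants a = b = 1 and a base point found by search; every function name is illustrative.

```python
# Added example. Assumed, not from the patent: toy field GF(2^7) in polynomial
# basis (t^7 + t + 1), curve constants a = b = 1, base point found by search.
# The patent itself uses a normal basis and 155-bit elements.
M, POLY, A, B = 7, 0b10000011, 1, 1

def gf_mul(u, v):
    """Multiply field elements (bit i = coefficient of t^i), reduced mod POLY."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u >> M:
            u ^= POLY
    return r

def gf_inv(u):
    """u^(2^M - 2), the inverse of a nonzero u."""
    r = 1
    for _ in range(M - 1):
        u = gf_mul(u, u)
        r = gf_mul(r, u)
    return r

def affine_add(p, q):
    """Reference group law with y-coordinates; None is the point at infinity O."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if y1 != y2 or x1 == 0:              # q = -p
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))    # doubling slope
        x3 = gf_mul(lam, lam) ^ lam ^ A
        return (x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3))
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def affine_mul(k, p):
    """Ordinary double and add with full points, used only as the reference."""
    acc = None
    for bit in bin(k)[2:]:
        acc = affine_add(acc, acc)
        if bit == "1":
            acc = affine_add(acc, p)
    return acc

def x_add(p1, p2, x4):
    """(x3 : z3) of P1 + P2 from (x1 : z1), (x2 : z2) and x4 = x(P1 - P2)."""
    (x1, z1), (x2, z2) = p1, p2
    t1, t2 = gf_mul(x1, z2), gf_mul(x2, z1)
    z3 = gf_mul(t1 ^ t2, t1 ^ t2)            # (x1 z2 + x2 z1)^2
    return (gf_mul(x4, z3) ^ gf_mul(t1, t2), z3)

def x_double(p1):
    """(x3 : z3) of 2 P1: x3 = x1^4 + b z1^4, z3 = (x1 z1)^2."""
    xs, zs = gf_mul(p1[0], p1[0]), gf_mul(p1[1], p1[1])
    return (gf_mul(xs, xs) ^ gf_mul(B, gf_mul(zs, zs)), gf_mul(xs, zs))

def ladder_x(k, x):
    """Affine x(kP) for k >= 1 from x = x(P) alone; None if kP = O.
    (P1, P2) = (mP, (m+1)P) always differ by P, so x4 = x at every step and the
    only inversion is the final conversion out of projective form."""
    p1, p2 = (x, 1), x_double((x, 1))
    for bit in bin(k)[3:]:                   # digits after the leading one
        if bit == "1":
            p1, p2 = x_add(p1, p2, x), x_double(p2)
        else:
            p1, p2 = x_double(p1), x_add(p1, p2, x)
    return None if p1[1] == 0 else gf_mul(p1[0], gf_inv(p1[1]))

def base_point():
    """Find a point on the toy curve by search and double it (clears the cofactor 2)."""
    for x in range(1, 1 << M):
        for y in range(1 << M):
            if gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(gf_mul(x, x), x ^ A) ^ B:
                return affine_add((x, y), (x, y))

def order(p):
    """Order of p by repeated addition (feasible only in a toy field)."""
    n, q = 1, p
    while q is not None:
        q, n = affine_add(q, p), n + 1
    return n

def accelerated_x(u1, u2, P, Q, n):
    """x(u1 P + u2 Q) computed as x(u2 R'), R' = (u1 u2^-1 mod n) P + Q."""
    w = u1 * pow(u2, -1, n) % n
    r_prime = affine_add(affine_mul(w, P), Q)    # table lookup plus one addition in the patent
    return None if r_prime is None else ladder_x(u2, r_prime[0])

if __name__ == "__main__":
    P = base_point()
    n, Q = order(P), affine_mul(5, P)            # 5 is a constructed private key
    print("order", n, "x(9P + 4Q) =", accelerated_x(9, 4, P, Q, n))
```

The ladder never touches a y-coordinate, and `accelerated_x` needs the full point only for the single addition that forms R'.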

Referring back to figure 1 if keys are transferred between the correspondents of the form kP then to reduce the bandwidth it is possible for the sender to transmit only one of the co-ordinates of kP and compute the other co-ordinate at the receiver. For example if the field elements are 155 bits for $F_{2^{155}}$, an identifier, for example a single bit of the correct value of the other co-ordinate, may also be transmitted. This permits the possibilities for the second co-ordinate to be computed by the recipient and the correct one identified from the identifier.

Referring therefore to Figure 1, the transmitter 10 initially retrieves as the public key dP of the receiver 12, a bit string representing the coordinate $x_0$ and a single bit of the co-ordinate $y_0$.

The transmitter 10 has the parameters of the curve in register 30 and therefore may use the co-ordinate $x_0$ and the curve parameters to obtain possible values of the other co-ordinate $y_0$ from the arithmetic unit 20.

For a curve of the form $y^2 + xy = x^3 + ax^2 + b$ and a co-ordinate $x_0$, then the possible values $y_1, y_2$ for $y_0$ are the roots of the quadratic $y^2 + x_0 y = x_0^3 + a x_0^2 + b$.

By solving for y, in the arithmetic unit 20 two possible roots will be obtained and comparison with the transmitted bit of information will indicate which of the values is the appropriate value of y.

The two possible values of the second co-ordinate ($y_0$) differ by $x_0$, i.e. $y_1 = y_2 + x_0$. Since the two values of $y_0$ differ by $x_0$, then $y_1$ and $y_2$ will always differ where a "1" occurs in the representation of $x_0$. Accordingly the additional bit transmitted is selected from one of those positions and examination of the corresponding bit of values of $y_0$ will indicate which of the two roots is the appropriate value.

The receiver 10 thus can generate the co-ordinates of the public key dP even though only 156 bits are retrieved.

Similar efficiencies may be realized in transmitting the session key kP to the receiver 12 as the transmitter 10 need only forward one coordinate, $x_0$ and the selected identifying bit of $y_0$. The receiver 12 may then reconstruct the possible values of $y_0$ and select the appropriate one.
In the field $F_{2^m}$ it is not possible to solve for y using the quadratic formula as 2a = 0. Accordingly, other techniques need to be utilised and the arithmetic unit 20 is particularly adapted to perform this efficiently.

In general provided $x_0$ is not zero, if $y = x_0 z$ then $x_0^2 z^2 + x_0^2 z = x_0^3 + a x_0^2 + b$. This may be written as

$$z^2 + z = x_0 + a + \frac{b}{x_0^2} = c.$$

If m is odd then either $z = c + c^4 + c^{16} + \dots + c^{2^{m-1}}$ or $z = 1 + c + c^4 + \dots + c^{2^{m-1}}$ to provide two possible values

A similar solution exists for the case where m is even that also utilises terms of the form

c

This is particularly suitable for use with a normal basis representation in $F_{2^m}$.

As noted above, raising a field element in $F_{2^m}$

of the values is determined by the additional bit transmitted.
The use of a normal basis representation in $F_{2^m}$
therefore simplifies the protocol ^^"^F^X n * + b defi ned over 
If P = (x 0 y 0 ) is a point on the elliptic curveE . y +xy-x + ax 

afield 

n v, ic; defined to be the least significant bit of the field element y 0 • V 

dinate y 0 can be recovered as follows. 



parameter register 30 one position to the left. That is, if
2. If $x_0 \neq 0$ then do the following:

2.1 Compute the field element $c = x_0 + a + b x_0^{-2}$ in $F_{2^m}$.
2.2 Let the vector representation of c be $c = c_{m-1} c_{m-2} \dots c_1 c_0$.
2.3 Construct a field element $z = z_{m-1} z_{m-2} \dots z_1 z_0$ by setting

$z_0 = \tilde{y}_0$,
$z_1 = c_0 \oplus z_0$,
$z_2 = c_1 \oplus z_1$,
...
$z_{m-2} = c_{m-3} \oplus z_{m-3}$,
$z_{m-1} = c_{m-2} \oplus z_{m-2}$.

2.4 Finally, compute $y_0 = x_0 \cdot z$.

It will be noted that the computation of x'§ can be readily computed in the arithmetic unit 20 as described above 
and that the computation of y 0 can be obtained from the multiplier 48. 
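
Steps 2.2 and 2.3 above solve $z^2 + z = c$ with XORs alone because squaring in a normal basis is a cyclic shift; the following added example (not part of the patent text) runs that recurrence and rejects a c for which no root exists. The 7-bit width, the integer encoding of coordinate vectors and the shift direction are assumptions chosen so that the recurrence reads exactly as in step 2.3, and the final multiplication $y_0 = x_0 \cdot z$ is left out.

```python
# Added example of steps 2.2-2.3. Assumed, not from the patent: a 7-bit toy
# width, integers as coordinate vectors (bit i = coefficient i), and a bit
# ordering chosen so that squaring matches the recurrence z_{i+1} = c_i XOR z_i.
M = 7

def nb_square(v, m=M):
    """Squaring in a normal basis is a cyclic shift: result bit i = input bit i+1."""
    return (v >> 1) | ((v & 1) << (m - 1))

def nb_trace(v):
    """Trace of an element = XOR of its normal-basis coordinates."""
    return bin(v).count("1") & 1

def solve_quadratic(c, y_bit, m=M):
    """Return z with z^2 + z = c and z_0 = y_bit, or None when no root exists.

    A root exists only if trace(c) = 0; otherwise x0 is not the x-coordinate of
    a point on the curve and the received value must be rejected.
    """
    if c >> m or nb_trace(c):
        return None
    z = bit = y_bit & 1                      # z_0 = transmitted identifying bit
    for i in range(m - 1):                   # z_{i+1} = c_i XOR z_i
        bit ^= (c >> i) & 1
        z |= bit << (i + 1)
    return z

def roots(c, m=M):
    """Both candidate roots; they differ in every coordinate (z and z + 1)."""
    r0 = solve_quadratic(c, 0, m)
    return None if r0 is None else (r0, solve_quadratic(c, 1, m))

if __name__ == "__main__":
    c = 0b0000011                            # constructed sample with trace 0
    print([format(z, "07b") for z in roots(c)])
    print(solve_quadratic(0b0000001, 0))     # trace 1: no root, prints None
```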

In the above examples, the identification of the appropriate value of $y_0$ has been obtained by transmission of a single bit and a comparison of the values of the roots obtained. However, other indicators may be used to identify the appropriate one of the values and the operation is not restricted to encryption with elliptic curves in the field $GF(2^m)$. For example, if the field is selected as $Z_p$, $p \equiv 3 \pmod 4$, then the Legendre symbol associated with the appropriate value could be transmitted to designate the appropriate value. Alternatively, the set of elements in $Z_p$ could be subdivided into a pair of subsets with the property that if y is in one subset, then -y is in the other, provided $y \neq 0$. An arbitrary value can then be assigned to respective subsets and transmitted with the co-ordinate $x_0$ to indicate in which subset the appropriate value of $y_0$ is located. Accordingly, the appropriate value of $y_0$ can be determined. Conveniently, it is possible to take an appropriate representation in which the subsets are arranged as intervals to facilitate the identification of the appropriate value of $y_0$. It may be noted that one of the methods described earlier may also be used to derive the coordinate.

These techniques are particularly suitable for encryption utilizing elliptic curves but may also be used with any algebraic curves and have applications in other fields such as error correcting coding where co-ordinates of points on curves have to be transferred.

It will be seen therefore that by utilising an elliptic curve lying in the finite field $GF(2^m)$ and utilising a normal basis representation, the computations necessary for encryption with elliptic curves may be efficiently performed. Such operations may be implemented in either software or hardware and the structuring of the computations makes the use of a finite field multiplier implemented in hardware particularly efficient.

The present invention is thus generally concerned with an encryption method and system and particularly an elliptic curve encryption method and system in which finite field elements are multiplied in a processor efficient manner. The encryption system can comprise any suitable processor unit such as a suitably programmed general-purpose computer.

Claims

1. A method of determining a multiple of a point P on an elliptic curve defined over a field $F_{2^m}$, said method comprising steps of:

(a) representing the number k as a vector of binary digits $k_i$;

(b) forming a pair of points $P_1$ and $P_2$, wherein the point $P_1$ and $P_2$ differ at most by P; and

(c) selecting each of said $k_i$ in turn and for each of said $k_i$,

upon said $k_i$ being a one, adding said pair of points $P_1$ and $P_2$ to form a new point $P_1$ and adding said point P to $P_1$ to form a new point $P_2$, said new points replacing said pair of points $P_1$ and $P_2$; or
upon said $k_i$ being a zero, doubling said point $P_1$ to form a new point $P_1$ and adding said point P to form a new point $P_2$, said new points replacing said pair of points $P_1$ and $P_2$, whereby said product kP is obtained from said point $P_1$ in M-1 steps and wherein M represents the number of digits in k.

A method as described in claim 1, said elliptic curve being of the form $y^2 + xy = x^3 + ax^2 + b$ and said field being selected to have elements

A *(o<i<ni) 

that constitute a normal basis, 
resents the coefficients of 

A* 



in the normal basis representation of said vector. 
4. A method as defined in claim 3, said adding of points $P_1$ and $P_2$ utilises only said x co-ordinates of said points $P_1$, $P_2$, and $P_1 - P_2$.

5. A method as defined in claim 4, said x co-ordinate of said added points is obtained by computing

$$x_3 + x_4 = \frac{x_1 x_2}{(x_1 + x_2)^2}$$

where $x_1, x_2$ are the x coordinates of $P_1$ and $P_2$, $x_3$ is the x coordinate of $P_1 + P_2$ and $x_4$ is the x coordinate of $P_1 - P_2$.

6. A method as defined in claim 5, including converting said coordinates to projective coordinates.

7. A method as defined in claim 6, said coordinate $x_3$ being obtained by computing $x_3 = x_1^4 + b z_1^4$.

8. A method as defined in claim 4, including computing a y coordinate of said point kP from said x coordinate by utilising an x coordinate of said point (k-1)P and said point kP.

9. A method as defined in claim 8, including computing a y coordinate of said point kP by substituting said x coordinate of kP in said elliptic curve equation.

Z2^££££ZSt tfh. no-ocdina,e fnom .aid on* cc-ondina,. and said ajgataa.n nurvn. 

appropriate value of said other co-ordinate. 
12. A method according to claim 11 wherein said identifying information is a digital bit of said other co-ordinate that identifies the appropriate value of said other co-ordinate.

other co-ordinate, said identifying information indicating the appropriate one of said values.
14. A method according to claim 13 wherein said identifying information is a digital bit of said other co-ordinate that identifies the appropriate value of said other co-ordinate.



EP 0 874 307 A1



15. A method according to claim 14 wherein said algebraic curve is an elliptic curve of the form $y^2 + xy = x^3 + ax + b$ defined over a finite field $F_{2^m}$.

16. A method according to claim 15 including the step of forwarding with said one co-ordinate identifying information of said other co-ordinate and utilising said identifying information and a discriminating function to determine the appropriate value of said other co-ordinate.

17. A method according to claim 16 wherein said field $GF(2^m)$ has field elements

that constitute a normal basis.

18. A method according to claim 17 wherein said other co-ordinate is determined by solving a quadratic equation to provide two possible values of said other co-ordinate, said identifying information indicating the appropriate one of said values.

19. A method according to claim 18 wherein said quadratic equation is solved by summing terms of the form

from g = 0 to g = m-1 where

$$c = x_0 + a + \frac{b}{x_0^2}$$

and $x_0$ is said one co-ordinate.

20. A method according to claim 19 wherein terms of the form

are obtained by g fold cyclic shifts of the normal basis representation of c.

21. A method according to claim 20 wherein said algebraic curve is defined over the field $Z_p$ and said identifying information indicates the Legendre symbol of the appropriate value.

22. A method according to claim 21 wherein said curve is defined over the field $Z_p$ and the elements thereof subdivided into a pair of subsets, one of which contains one possible value and the other of which contains the other possible value, said indicating information identifying the subset containing the appropriate value.

23. A method of encrypting data using the method of any preceding claim.

24. Encryption apparatus for encrypting data comprising:

input means for inputting data;
encryption means for encrypting the data using the method of any preceding claim; and
output means for outputting encrypted data.

25. A signal representing data encrypted using the method of any one of claims 1 to 23.

26. Apparatus for determining a multiple of a point P on an elliptic curve defined over a field $F_{2^m}$, the apparatus comprising:

(a) means for representing the number k as a vector of binary digits $k_i$;
(b) means for forming a pair of points $P_1$ and $P_2$, wherein the point $P_1$ and $P_2$ differ at most by P; and
(c) means for selecting each of said $k_i$ in turn and for each of said $k_i$,

upon said $k_i$ being a one, adding said pair of points $P_1$ and $P_2$ to form a new point $P_1$ and adding said point P to $P_1$ to form a new point $P_2$, said new points replacing said pair of points $P_1$ and $P_2$, or

coordinate and parameters of said algebraic curve.
FIGURE 3

[Flow chart for kP: K = (K_1, K_2, K_3 ... K_M)_2; P_1 = P, P_2 = 2P; for i = 2 to M do; one branch: P_1 = P_1 + P_2, P_2 = P_1 + P; "No" branch: P_1 = 2P_1, P_2 = P_1 + P; result: P_1 = kP, P_2 = (k+1)P]

[Flow chart: x[(k-1)P]; x'[kP]; compute y' using x' in E; let Q = (x', y')]

[Diagram: d, Q = dP; k, kP = (x, y); e = h(M); z = x-coordinate of (x, y); r = z mod n; s = k^-1 (e + dr) mod n; (s, r); (m); look-up; e = H(M); c = s^-1 mod n; u_1 = ec mod n; u_2 = rc mod n; (x_s, y_s) = u_1 P + u_2 Q; calculate u_2* = u_2^-1 mod n; calculate u_1 u_2*; build u_1 u_2* P; add Q; R' = (u_1 u_2* P + Q); calculate u_2 R' using only x-coordinate; check u_2 R' = r]